Integration of the Barac collector and Splunk


Setting up the HTTP Event Collector (HEC)

  • The HEC lets Splunk receive events over HTTP(S) from remote sources such as the Barac collector
  • Open Splunk and go to “Settings”
    • Click on “Data inputs”
  • Click on “HTTP Event Collector”
  • HEC uses token-based authentication: every client must present a token with each request
    • *Events sent without a valid token are rejected*
  • Click on “Global Settings”
  • Make sure “All Tokens” is set to “Enabled”
  • Here you can also set the default index and output group. Leave them at their defaults
  • It is recommended to keep the “Enable SSL” checkbox ticked, so that both the events and the token travel over TLS instead of in clear text
    • *The HEC default port is 8088, but it can be changed here*
  • Remember to save any changes before continuing
  • Now create an authentication token:
    • Click “New Token”
  • Click “Next”
  • Click “Review”
  • Click “Submit” and the token value is displayed. Treat it as a secret: anyone who holds it can write events into your index

Pushing the event to the HEC

  • Now we can use a REST client or curl to send events to the HEC
  • Send a POST request to the collector endpoint on the indexer, using the port defined earlier in the global settings
  • Include the authentication token (the value below is the one issued in this walkthrough; use the token your own Splunk instance generated)
    • fc478fee-40fc-499a-a191-1ea281980e98
  • Format the event details as JSON, wrapped in a top-level “event” object:
      {"event": {"eventName": "An account has been modified",
                 "eventID": "55",
                 "eventCategory": "user modification",
                 "username": "Hamdi",
                 "sourceip": "192.168.1.22",
                 "sourceport": "6756",
                 "destinationip": "192.168.1.23",
                 "destinationport": "6756",
                 "TimeLine": "GMT",
                 "Description": "blabla"}}
  • If you are using curl on Linux, wrap the whole JSON body in single quotes; the double quotes inside it need no backslash
  • If you are using curl on Windows (cmd.exe), the body must be wrapped in double quotes, so every double quote inside it must be escaped as \"
  • Now push the event with curl, placing the token in the request’s Authorization header
  • The response that tells you the event was accepted is {"text":"Success","code":0}; any other “code” value means the event was rejected (for example an invalid token)
  • Go back to your Splunk interface to find the event and check the result
    • On the Home page go to “Search & Reporting”
  • In the search field, enter something that matches the event payload. The event we pushed has “Hamdi” as the value of the username field, so search for Hamdi and click the search button
  • The event is listed with all of its details
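The push procedure above, as one added example that is not code from this Barac page or from Splunk: a POSIX shell script that builds the event body with the walkthrough’s fields, POSTs it to the HEC with the token in the Authorization header, and checks the collector’s reply before reporting success. The hostname splunk.example.internal, the zeroed placeholder token, the HEC_CACERT and HEC_SEND variables and the helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example for the Barac/Splunk HEC walkthrough; not code from the Barac page or from
# Splunk. Hostname, port, token and CA path are placeholders supplied via the environment.

HEC_HOST="${HEC_HOST:-splunk.example.internal}"                  # assumed indexer hostname
HEC_PORT="${HEC_PORT:-8088}"                                      # HEC default port (Global Settings)
HEC_TOKEN="${HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"    # placeholder; use the token Splunk issued

# Build the JSON body for one "account modified" event with the fields from the walkthrough.
# Arguments: username source-ip destination-ip description
# (values are inserted verbatim, so keep them free of quotes and backslashes)
hec_event_json() {
  printf '{"event":{"eventName":"An account has been modified","eventID":"55","eventCategory":"user modification","username":"%s","sourceip":"%s","sourceport":"6756","destinationip":"%s","destinationport":"6756","TimeLine":"GMT","Description":"%s"}}' \
    "$1" "$2" "$3" "$4"
}

# Return 0 when the collector's reply reports success ("code":0) and 1 for any error reply
# such as "Invalid token". Whitespace is stripped first so the reply's spacing does not matter.
hec_reply_ok() {
  compact=$(printf '%s' "$1" | tr -d ' \t\r\n')
  case "$compact" in
    *'"code":0,'*|*'"code":0}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# POST one event to the HEC event endpoint. The token travels in the Authorization header,
# so it is only protected when "Enable SSL" is on AND the client verifies the certificate.
hec_post() {
  tls_opts="-k"                                                   # accept Splunk's self-signed default cert (lab use only)
  [ -n "${HEC_CACERT:-}" ] && tls_opts="--cacert $HEC_CACERT"    # preferred: verify against your own CA
  body=$(hec_event_json "$@")
  # shellcheck disable=SC2086
  curl -sS $tls_opts \
    -H "Authorization: Splunk ${HEC_TOKEN}" \
    -H "Content-Type: application/json" \
    --data "$body" \
    "https://${HEC_HOST}:${HEC_PORT}/services/collector/event"
}

# Send the walkthrough's sample event and check the reply. Only runs when HEC_SEND=1, so the
# file can be sourced for its functions without touching the network.
if [ "${HEC_SEND:-0}" = "1" ]; then
  reply=$(hec_post Hamdi 192.168.1.22 192.168.1.23 blabla)
  if hec_reply_ok "$reply"; then
    echo "event accepted: $reply"
  else
    echo "HEC rejected the event: $reply" >&2
    exit 1
  fi
fi
```

Run it as `HEC_SEND=1 HEC_HOST=<indexer> HEC_TOKEN=<token> sh hec_push.sh`. The `-k` fallback exists only because a fresh Splunk install ships with a self-signed certificate; once the indexer has a certificate from a CA you control, set HEC_CACERT to that CA so that the token cannot be captured by anyone who can sit between the collector and the indexer.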

Conclusion

After following the steps above, the Barac-Splunk integration will be able to collect and forward encrypted traffic to the Barac-ETV Platform. Please note that these steps are current as of 08/10/19 and are subject to change with any updates to Barac and Splunk.